[mod-security-users] Nulls in post cause false negative (Bug?)
Brought to you by:
victorhora,
zimmerletw
Menu
▾
▴
[mod-security-users] Nulls in post cause false negative (Bug?)
|
From: <sre...@g8...> - 2003-08-28 18:25:12
|
I recently build mod_security and incorporated it into an apache
1.3.28 installation.
First, I'd like to say that this looks like a very useful package.
Nice job!
Second, I'd like to report what seems to be a bug in POST_PAYLOAD
scanning.
I have the following directives
SecFilterEngine On
SecFilterDefaultAction "deny,log,status:400"
SecFilterCheckURLEncoding On
SecFilterForceByteRange 32 128
SecAuditEngine On
SecFilterScanPOST On
SecAuditLog logs/localhost/mod_security_audit.log
SecFilterSelective "POST_PAYLOAD" "chicken" "deny,log,status:501"
The following code (perl) creates a post that successfully generates a
filter hit.
use HTTP::Request::Common;
my $request =
POST($ARGV[0],
[ a => "so much depends",
b => "upon a red wheelbarrow",
c => "glazed with rainwater",
d => "beside the white chickens"]);
mod_security: Access denied with code 501. Pattern match "chicken"
at POST_PAYLOAD.
That's great. However, the following is allowed to pass (HTTP 200)
my $request =
POST($ARGV[0],
[ a => "so much depends",
b => "upon a red wheelbarrow",
c => "glazed with rainwater",
d => "beside the white ^@ chickens"]);
Where "^@" is an ASCII null, which gets encoded and sent as "%00".
Is this the desired behavior?
Thanks.
--
Steve
|
